From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB434C433E0 for ; Fri, 15 May 2020 17:17:14 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id BB2F6206D8 for ; Fri, 15 May 2020 17:17:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BB2F6206D8 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id E74918E0018; Fri, 15 May 2020 13:17:00 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E02638E0001; Fri, 15 May 2020 13:17:00 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C9FB78E0018; Fri, 15 May 2020 13:17:00 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0234.hostedemail.com [216.40.44.234]) by kanga.kvack.org (Postfix) with ESMTP id B32A08E0001 for ; Fri, 15 May 2020 13:17:00 -0400 (EDT) Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 7B1FB18113973 for ; Fri, 15 May 2020 17:17:00 +0000 (UTC) X-FDA: 76819608600.01.chain71_2ed68bf17924 X-HE-Tag: chain71_2ed68bf17924 X-Filterd-Recvd-Size: 4204 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by imf39.hostedemail.com (Postfix) with ESMTP for ; Fri, 15 May 2020 17:17:00 +0000 (UTC) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 81FB81063; Fri, 15 May 2020 10:16:59 -0700 (PDT) Received: from localhost.localdomain (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D50F93F305; Fri, 15 May 2020 10:16:57 -0700 (PDT) From: Catalin Marinas To: linux-arm-kernel@lists.infradead.org Cc: linux-mm@kvack.org, linux-arch@vger.kernel.org, Will Deacon , Dave P Martin , Vincenzo Frascino , Szabolcs Nagy , Kevin Brodsky , Andrey Konovalov , Peter Collingbourne , Alexander Viro Subject: [PATCH v4 19/26] fs: Handle intra-page faults in copy_mount_options() Date: Fri, 15 May 2020 18:16:05 +0100 Message-Id: <20200515171612.1020-20-catalin.marinas@arm.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200515171612.1020-1-catalin.marinas@arm.com> References: <20200515171612.1020-1-catalin.marinas@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The copy_mount_options() function takes a user pointer argument but no size. It tries to read up to a PAGE_SIZE. However, copy_from_user() is not guaranteed to return all the accessible bytes if, for example, the access crosses a page boundary and gets a fault on the second page. To work around this, the current copy_mount_options() implementation performs two copy_from_user() passes, first to the end of the current page and the second to what's left in the subsequent page. On arm64 with MTE enabled, access to a user page may trigger a fault after part of the buffer has been copied (when the user pointer tag, bits 56-59, no longer matches the allocation tag stored in memory). Allow copy_mount_options() to handle such intra-page faults by returning -EFAULT only if the first copy_from_user() has not copied any bytes. Signed-off-by: Catalin Marinas Cc: Alexander Viro Reviewed-by: Kevin Brodsky --- Notes: v4: - Rewrite to avoid arch_has_exact_copy_from_user() =20 New in v3. fs/namespace.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index a28e4db075ed..70aa60ccce57 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3016,7 +3016,7 @@ static void shrink_submounts(struct mount *mnt) void *copy_mount_options(const void __user * data) { char *copy; - unsigned size; + unsigned size, left; =20 if (!data) return NULL; @@ -3027,12 +3027,30 @@ void *copy_mount_options(const void __user * data= ) =20 size =3D PAGE_SIZE - offset_in_page(data); =20 - if (copy_from_user(copy, data, size)) { + /* + * Attempt to copy to the end of the first user page. On success, + * left =3D=3D 0, copy the rest from the second user page (if it is + * accessible). copy_from_user() will zero the part of the kernel + * buffer not copied into. + * + * On architectures with intra-page faults (arm64 with MTE), the read + * from the first page may fail after copying part of the user data + * (left > 0 && left < size). Do not attempt the second copy in this + * case as the end of the valid user buffer has already been reached. + * Ensure, however, that the second part of the kernel buffer is + * zeroed. + */ + left =3D copy_from_user(copy, data, size); + if (left =3D=3D size) { kfree(copy); return ERR_PTR(-EFAULT); } if (size !=3D PAGE_SIZE) { - if (copy_from_user(copy + size, data + size, PAGE_SIZE - size)) + if (left =3D=3D 0) + /* return not relevant, just silence the compiler */ + left =3D copy_from_user(copy + size, data + size, + PAGE_SIZE - size); + else memset(copy + size, 0, PAGE_SIZE - size); } return copy;